Tag: firewall

  • How to whitelist a hostname in CSF firewall

    Firewalls usually allow or block IP addresses. If you need to allow a hostname, you have to look up its IP address and whitelist that address. If you use a dynamic DNS service such as noip or dyndns, the IP address behind your hostname changes whenever your internet provider assigns you a new address, so a static whitelist entry goes stale.

    ConfigServer Security and Firewall (CSF) supports dynamic DNS hostnames. The same feature can be used to whitelist ordinary hostnames too.

    To allow a hostname, log in to your server using SSH.

    Edit the file

    vi /etc/csf/csf.dyndns

    In this file, you can add your hostname to the whitelist.

    In the CSF config file, you need to make the following changes.

    vi /etc/csf/csf.conf

    Set the value of DYNDNS

    DYNDNS = "600"

    This tells CSF to re-resolve the IP addresses of the whitelisted hostnames every 600 seconds (10 minutes). Change the interval as needed.

    DYNDNS_IGNORE = "1"

    With DYNDNS_IGNORE set to 1, lfd will never block these IP addresses, even after failed login attempts or too many connections.

    Restart lfd

    systemctl restart lfd

    Back to CSF Firewall

  • Install CSF firewall on Ubuntu Server

    First, install the libwww-perl package that CSF requires

    apt -y install libwww-perl
    

    Install CSF with

    cd /usr/local/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    

    Change the following settings in the csf.conf file

    /bin/sed -i "s/RESTRICT_SYSLOG\s*=.*$/RESTRICT_SYSLOG = \"3\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/SYSLOG_CHECK\s*=.*$/SYSLOG_CHECK = \"3600\"/g" /etc/csf/csf.conf
    /bin/sed -i "s/TESTING = \"1\"/TESTING = \"0\"/g" /etc/csf/csf.conf
    

    If you need the web GUI enabled, edit the file

    vi /etc/csf/csf.conf
    

    Modify the following settings. Use a strong password; note that UI_ALLOW = "0" turns off the restriction of UI access to the addresses listed in /etc/csf/ui/ui.allow, so the UI port should only be reachable from trusted networks.

    UI = "1"
    UI_PORT = "8282"
    UI_USER = "username"
    UI_PASS = "password"
    UI_ALLOW = "0"
    
  • Whitelisting an IP Address in CSF Firewall

    There are 3 ways to whitelist an IP address in ConfigServer Security & Firewall (csf). Whitelisting an IP address allows it to reach all ports on the server, including closed ports. For example, you can block SSH port 22 on the server, then add your own IP address to the whitelist, and you will still be able to reach SSH from that address.

    Using WHM

    Log in to WHM as root, then go to WHM > Plugins > ConfigServer Security & Firewall.

    In the text box to the right of the “Quick Allow” button, enter the IP address you need to whitelist, then click the “Quick Allow” button.

    The Quick Deny option below can be used to block an IP address from accessing the server.

    Quick Ignore lets you ignore an IP address. This is similar to Quick Allow; the difference is that an address whitelisted with Quick Allow can still be blocked if it trips ModSecurity rules or makes several failed logins, whereas an ignored address will never be blocked by ModSecurity or lfd.

    Using csf command

    If you are logged in via SSH or WHM > Terminal, you can run the following command to whitelist an IP address.

    csf -a IP_ADDR_HERE
    

    The IP address can be a single address or an IP range in CIDR notation.

    To block an IP, use

    csf -d IP_ADDR_HERE
    

    Manually editing csf.allow

    To allow an IP or IP range (CIDR format), you can edit the file

    vi /etc/csf/csf.allow
    

    If you need to ignore an IP address, add it to the file

    vi /etc/csf/csf.ignore
    

    IPs added to csf.ignore will never be banned because of lfd or ModSecurity failures. IPs in csf.allow can still be blocked by ModSecurity or lfd.

    Add your IP to the file, then restart the csf firewall.

    csf -r
    

    See csf

  • Firewalld

    firewall-cmd is used to manage the firewall (iptables). It is the default on recent versions of CentOS and RHEL.

      Check firewall status

      To see whether the firewall is running or not, use

      firewall-cmd --state

      or

      systemctl status firewalld

      To disable the firewall

      systemctl stop firewalld
      systemctl disable firewalld

      Open a port in firewall

      To allow HTTP, HTTPS, SSH and SMTP (port 25) traffic, run

      firewall-cmd --permanent --zone=public --add-service=http
      firewall-cmd --permanent --zone=public --add-service=https
      firewall-cmd --permanent --zone=public --add-service=ssh
      firewall-cmd --permanent --zone=public --add-port=25/tcp
      firewall-cmd --reload

      The --permanent option makes the change permanent, but it is not applied to the running firewall until you reload it. If you want to open a port in the current session and also make it permanent, run the command both with and without --permanent.

      Open a port range in firewall

      firewall-cmd --zone=public --add-port=22-65535/tcp
      

      Close a port in firewall

      To close a port, use the same command you opened it with, replacing --add with --remove.

      firewall-cmd --permanent --zone=public --remove-service http
      firewall-cmd --permanent --zone=public --remove-port 25/tcp
      

      Whitelist an IP address

      firewall-cmd --zone=trusted --add-source=IP_ADDR_HERE
      

      To remove an IP, use

      firewall-cmd --zone=trusted --remove-source=IP_ADDR_HERE
      

      Firewalld Zones

      Zone is a collection of rules that can be applied to a specific interface. Some useful commands are

      firewall-cmd --get-active-zones
      firewall-cmd --get-default-zone
      firewall-cmd --list-all-zones
      firewall-cmd --info-zone=public
      

      Zones are stored in /usr/lib/firewalld/zones

      Services

      Services are pre-made rules for a specific application. Some useful commands are

      firewall-cmd --get-services
      firewall-cmd --info-service SERVICE_NAME_HERE
      

      Services are stored in /usr/lib/firewalld/services/ or /etc/firewalld/services/.

      Save the runtime configuration as permanent

      firewall-cmd --runtime-to-permanent
      

      iptables

      See firewall

    • Firewalld list all open ports

      To list all open ports in firewalld, run

      firewall-cmd --list-ports
      

      Ports opened via a service are not shown by --list-ports, so you may also need to use

      [root@oc1 ~]# firewall-cmd --list-services
      http https ssh
      [root@oc1 ~]# 
      

      See firewalld

    • Firewalld list rules

      To list rules use command

      firewall-cmd --list-all --zone=public
      

      To list all open ports

      firewall-cmd --list-ports
      

      Example

      [root@centos7 zones]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept'
      success
      [root@centos7 zones]# firewall-cmd --list-all --zone=public
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0 eth1
        sources: 
        services: dhcpv6-client ssh
        ports: 25/tcp 9090/tcp
        protocols: 
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 
              rule family="ipv4" source address="10.1.1.2/32" port port="1-65535" protocol="tcp" accept
      [root@centos7 zones]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept'                                            
      success
      [root@centos7 zones]# firewall-cmd --list-all --zone=public
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0 eth1
        sources: 
        services: dhcpv6-client ssh
        ports: 25/tcp 9090/tcp
        protocols: 
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 
      
      [root@centos7 zones]#
      
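      The session above shows that a rich rule can grant a source address access to every port without it ever appearing under "sources:". The following shell functions, added here as an example and not part of the original posts, parse the `firewall-cmd --list-all` output format shown above so a zone can be audited from a script; the sample output is constructed to match the session and all function names are my own.

      ```shell
      # Constructed sample of `firewall-cmd --list-all --zone=public` output (matches the
      # session above; not captured from a live host). The functions below parse this format.
      SAMPLE_ZONE='public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0 eth1
        sources: 
        services: dhcpv6-client ssh
        ports: 25/tcp 9090/tcp
        protocols: 
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 
              rule family="ipv4" source address="10.1.1.2/32" port port="1-65535" protocol="tcp" accept'

      # zone_field OUTPUT FIELD: print the value of one single-line field (ports, services, ...)
      zone_field() {
        printf '%s\n' "$1" | sed -n "s/^  $2:[[:space:]]*//p"
      }

      # zone_has_item OUTPUT FIELD ITEM: succeed if ITEM is listed in FIELD (e.g. ports 25/tcp)
      zone_has_item() {
        for item in $(zone_field "$1" "$2"); do
          [ "$item" = "$3" ] && return 0
        done
        return 1
      }

      # zone_rich_rules OUTPUT: print each rich rule on its own line with the indentation stripped
      zone_rich_rules() {
        printf '%s\n' "$1" | awk '/^  rich rules:/ { in_rules = 1; next }
                                  in_rules && /^[ \t]+rule / { sub(/^[ \t]+/, ""); print }'
      }

      # zone_all_port_sources OUTPUT: print source addresses that a rich rule accepts on the
      # full port range 1-65535. Such a rule is equivalent to putting the address in the
      # trusted zone, so an audit should report it as a whitelist entry even though
      # "sources:" is empty.
      zone_all_port_sources() {
        zone_rich_rules "$1" | sed -n 's/.*source address="\([^"]*\)".*port="1-65535".*accept.*/\1/p'
      }

      # On a live host: zone_all_port_sources "$(firewall-cmd --list-all --zone=public)"
      ```
      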

      See firewall-cmd

    • Install CSF Firewall

      For a non-cPanel server, first install the required perl modules

      yum install -y perl perl-libwww-perl perl-Time-HiRes unzip bind-utils
      

      On Ubuntu

      apt-get install libwww-perl
      

      Once the requirements are installed, install csf with

      cd /usr/local/src
      wget https://download.configserver.com/csf.tgz
      tar -xzf csf.tgz
      cd csf
      sh install.sh
      
      sed -i "s/RESTRICT_SYSLOG = \"0\"/RESTRICT_SYSLOG = \"1\"/g" /etc/csf/csf.conf
      

      See csf

    • Block Country in CSF firewall

      CSF firewall can block all traffic from a country or list of countries using the GeoIP database.

      To block a country, edit the file

      /etc/csf/csf.conf
      

      Find

      CC_DENY=""
      

      Replace with

      CC_DENY="2_LETTER_COUNTRY_CODE"
      

      Here is an example that blocks all traffic from China

      CC_DENY="CN"
      

      To block more than one country, add the codes separated by commas

      CC_DENY="CN,RU"
      

      Now restart CSF firewall with

      csf -r
      

      See CSF firewall

    • Disable IP Block Alerts in CSF Firewall

      To disable IP block alert in CSF firewall, run

      sed -i "s/LF_PERMBLOCK_ALERT\s*=.*$/LF_PERMBLOCK_ALERT = \"0\"/g" /etc/csf/csf.conf
      

      Restart lfd and csf

      systemctl restart lfd
      csf -r
      

      See csf firewall

    • How to Block a Country in CSF firewall

      To block all traffic from a country in CSF Firewall, edit the file /etc/csf/csf.conf

      vi /etc/csf/csf.conf
      

      Find the line

      CC_DENY = ""
      

      In this line, add the 2-letter country code(s), separated by commas. For example, to block China and Russia, set

      CC_DENY = "CN,RU"
      

      Now restart the firewall with

      systemctl restart lfd
      csf -r
      
    • Unban an IP from CSF Firewall

      To unban an IP from CSF firewall, run

      csf -dr IP_ADDR
      

      Here I have an IP blocked in the firewall.

      [root@server22 ~]# iptables -L -n | grep 13.224.29.193
      DROP       all  --  13.224.29.193        0.0.0.0/0           
      LOGDROPOUT  all  --  0.0.0.0/0            13.224.29.193       
      [root@server22 ~]# 
      

      To check whether CSF is blocking the IP, run

      csf -g IP_ADDR
      

      This command also shows the reason why the IP was blocked.

      Let's unban the IP address with the command

      csf -dr IP_ADDR
      

      Now the IP should no longer be listed in iptables; verify it with

      iptables -L -n | grep IP_ADDR
      

      csf